So the problem with Alex's fix is that it makes a default allow profile available on the default install, which is a security hole unless the apparmor_restrict_unprivileged_unconfined restriction is enabled by default.

We tolerate the sbuild profile because it is not installed by default, and it really needs very broad privileges to work. Just like lxd etc., installing it is assumed to accept some risk.

On plucky we are trying to have apparmor_restrict_unprivileged_unconfined enabled by default, but it is one of the features that had to be reverted on previous releases. The restriction is also currently disabled by LXD, meaning the default allow os-prober profile becomes an attack vector if the machine has LXD.

In the current default state on plucky we should be okay, so I am not opposed to making this public. But we also need to be aware that there are potential security concerns.

For now let's run with Alex's fix. The AppArmor team will look into developing a tighter os-prober profile than Alex's fix, so we have that available if needed.

https://bugs.launchpad.net/bugs/2099811

Title:
  Os-prober segmentation fault one message for each partition on same PC

Status in apparmor package in Ubuntu:
  Confirmed
Status in os-prober package in Ubuntu:
  Confirmed

Bug description:
  Reporting this bug on os-prober, my bug https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2099662 was incorrectly attributed to grub

  corrado@corrado-n3-pp-0223:~$ sudo os-prober
  [sudo] password for corrado:
  find: Failed to restore initial working directory: /home/corrado: Permission denied
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  Segmentation fault
  corrado@corrado-n3-pp-0223:~$

  Attaching related journal

  ProblemType: Bug
  DistroRelease: Ubuntu 25.04
  Package: os-prober 1.83ubuntu2
  ProcVersionSignature: Ubuntu 6.12.0-15.15-generic 6.12.11
  Uname: Linux 6.12.0-15-generic x86_64
  ApportVersion: 2.31.0+git20250220-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Feb 23 15:46:27 2025
  InstallationDate: Installed on 2025-02-23 (0 days ago)
  InstallationMedia: Ubuntu 25.04 "Plucky Puffin" - Daily amd64 (20250223)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
  SourcePackage: os-prober
  UpgradeStatus: No upgrade log present (probably fresh install)
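
For the concern raised in the comment at the top of this message, a host-side check can report whether the restriction is enabled and which profiles on disk are declared broad. This is an added example, not code from the bug report or from the AppArmor project. Assumptions: the restriction is readable at the sysctl path below, profiles live in /etc/apparmor.d, and a "default allow" profile carries `default_allow` or `unconfined` in its `flags=(...)`.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumed, not stated on the page:
# the sysctl path, the profile directory, and the flag names matched below.
SYSCTL_FILE=/proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
PROFILE_DIR=/etc/apparmor.d

# Print enabled, disabled or unknown for the sysctl file given as $1.
restriction_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print the files directly under $1 whose profile header carries a
# default_allow or unconfined flag. Commented-out headers are ignored.
broad_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*[^#[:space:]].*flags=\(([^)]*[,[:space:]])?(default_allow|unconfined)[,[:space:])]' "$f"; then
            echo "$f"
        fi
    done
}

# Report both facts. Returns 1 when broad profiles exist while the
# restriction is not enabled, 0 otherwise.
audit() {
    state=$(restriction_state "$1")
    found=$(broad_profiles "$2")
    echo "restriction: $state"
    [ -n "$found" ] || { echo "no default_allow/unconfined profiles found"; return 0; }
    echo "broad profiles:"
    echo "$found" | sed 's/^/  /'
    if [ "$state" = enabled ]; then
        echo "OK: restriction is enabled"
        return 0
    fi
    echo "WARN: broad profiles present while restriction is $state"
    return 1
}

# Run against the live system only when asked: sh this-script --audit
if [ "${1:-}" = "--audit" ]; then
    audit "$SYSCTL_FILE" "$PROFILE_DIR"
fi
```

The check reads profile sources on disk, so a result for a given file says nothing about whether that profile is currently loaded in the kernel.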